[Security is a multi-layer topic, including physical, hardware, bootstrapping, storage, and other aspects. This article focuses only on the access control among server workloads within a data center.]
There are tons of firewall/VPN appliances in pretty much every enterprise data center, but close to none inside Google’s. How does Google get by without deploying traditional firewalls while still enforcing access control among its data center apps?
The technical answer is that Google pushes access control, authentication, and authorization up to the app layer rather than doing it at the network layer. Effectively, Google bakes access control into the app instead of enforcing it at the network layer.
Google’s method makes access control immutable, portable, and scalable: app-to-app and service-to-service access control inside the data center no longer relies on humans or scripts to provision the right security posture at the right place at the right time. Control is based on the true identity of the app, not on a network header standing in as a proxy for that identity; there is no more error-prone “after-thought” security coordination back and forth between app folks and ops folks.
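To make that contrast concrete, here is an added example (constructed for this article, not Google’s code) that places an authorization decision keyed on a caller identity proven at the app layer beside one keyed on the source address, the way a traditional firewall rule would express it; the service names, policy tables, and addresses are assumptions.

```python
"""Identity-based vs. network-header-based service authorization.

Added illustration only: service names, the policy tables and the sample
requests are constructed and do not come from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

# "Baked-in" policy: keyed on the caller's proven app identity and the
# operation it is invoking, never on where the packet came from.
IDENTITY_POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("frontend", "orders"): frozenset({"GetOrder", "ListOrders"}),
    ("billing", "orders"): frozenset({"GetOrder", "MarkPaid"}),
}

# "After-thought" policy: a firewall-style rule that lets the subnet the
# frontend tier was originally deployed in reach the orders service.
NETWORK_POLICY = {
    "orders": [ip_network("10.1.0.0/24")],
}


@dataclass(frozen=True)
class Request:
    # Identity proven at the app layer (e.g. taken from a verified mTLS
    # client certificate); None when the caller did not authenticate.
    caller_identity: Optional[str]
    source_ip: str      # what the network header says
    target: str         # service being called
    operation: str      # RPC method being invoked


def authorize_by_identity(req: Request) -> bool:
    """Allow only if the authenticated caller is granted this operation."""
    if req.caller_identity is None:
        return False
    allowed = IDENTITY_POLICY.get((req.caller_identity, req.target), frozenset())
    return req.operation in allowed


def authorize_by_network(req: Request) -> bool:
    """Allow if the source address falls in an allowed subnet; the rule has
    no notion of which app is calling or which operation it wants."""
    src = ip_address(req.source_ip)
    return any(src in net for net in NETWORK_POLICY.get(req.target, []))
```

Rescheduling the frontend onto another subnet leaves the identity decision unchanged but silently breaks the network rule, while an unauthenticated workload that happens to sit in the trusted subnet passes the network rule and fails the identity check.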
Despite these benefits, there has been an age-old debate between app-level and network-level security control. Historically, enterprise data centers chose the “after-thought” network-level security model because it made sense for the traditional environment: most data centers ran packaged software, workloads trusted their internal networks, and there was a separation of duties.
Even though the app-centric model did not fit enterprises well in the past, the dynamics are changing. The cloud native app wave will change the way enterprises secure data center workloads:
- In-house custom software is going to dominate the data center: Traditionally, an enterprise data center ran a lot of packaged software (e.g., Exchange). The practical way for an enterprise to protect this type of workload is from outside the packaged software. But companies are converting traditional packaged software into software-as-a-service (SaaS) consumption (e.g., Office 365), so security for packaged software is no longer an interior requirement. The enterprise is going to run predominantly in-house developed custom software that differentiates its business. For those apps, “baked-in” security is a viable approach because the enterprise owns the app code and design.
- Interior security is as important as perimeter security: Traditional enterprise workloads typically place a decent amount of trust in their internal network, and there is less need to do access control on each and every workload, so traditional segmentation or micro-segmentation technologies serve that use case well. Google’s security requirement is based on “zero trust”: it does not assume the interior network is a single bit more secure than the public Internet, and traditional network-based access control cannot scale to that level. Enterprises will start caring about interior security as much as perimeter security too: among many reasons, the “interior” may now reside on a public or hybrid cloud. The app-based “baked-in” model is more desirable because of its scalability and portability.
- Organizations going DevOps: Traditionally, there has been a separation of duties between Dev and Ops. That boundary between Dev and Ops meant the “after-thought” network-based security model fit the day-to-day workflow well. While some separation of duties will remain, DevOps will naturally push developers to be involved in security where and when it makes sense. The rate of change in the app lifecycle is increasing dramatically, as evidenced by the momentum behind Docker and microservices. App components come and go, scale up and down. The network-based “after-thought” approach simply will not keep up with the pace of change, and app-based security will have to step up.
The net is that today’s “after-thought” security model has served the industry very well over the last two decades. With the emergence of cloud native apps, the acceleration of cloud adoption, and the embrace of DevOps, enterprises will look for security practices that match the cloud native wavelength too. The shift from “after-thought” to “baked-in” security is not going to happen overnight, but exciting times are ahead for the cloud security industry!